Signed Integer Overflow in Perl's Storable Module Affects Multiple Versions
CVE-2026-57433

Currently unrated

Key Information:

Vendor

Haarg

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-57433?

The Storable module in Perl prior to version 3.41 contains a vulnerability that arises from a signed integer overflow during the deserialization of crafted SX_HOOK records. Specifically, the 'retrieve_hook_common' function reads a signed 32-bit item count, which can be manipulated to trigger an overflow when augmented by one. If the item count is set to I32_MAX, this leads to a negative value being passed to the 'av_extend' function, causing the process to panic and terminate unexpectedly. This vulnerability emphasizes the need for careful validation and handling of input data in serialization processes.

Affected Version(s)

Storable 0 < 3.41

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.